Azure Virtual Desktop your account is configured to prevent you from using this device

Pre-requisites

If you want to join an Active Directory domain, you will need domain join credentials and connectivity to a domain controller. This could be an Azure VM running either in the same VNet or in another VNet with the appropriate network rules in place, or a domain controller running on-premise if you have ExpressRoute or a VPN between your site and your Azure VNet.

More recently, Azure AD join has been rolled out to AVD. There aren't any pre-requisites as such for this, however there are a few extra steps along the way which are required for users to be permitted to log on to an AzureAD joined host.

For both options, your users need to be in Active Directory and synced to Azure AD. At some point in the future this requirement will be dropped for Azure AD joined hosts, supporting cloud-only user accounts.

Licensing

AVD can run a few different versions of Windows, each has its own licensing requirement:

• Windows 10 [or 11] Enterprise multi-session: Windows A3/A5/E3/E5 or M365 A3/A5/E3/E5/F3/Business Premium
• Windows 7 Enterprise: Same as Windows 10/11
• Windows Server 2012R2 and above: RDS CAL with Software Assurance
  

Create the Host Pool

Our first step is creating the host pool. Open the Azure portal and head to Azure Virtual Desktop > Host pools and click on Create.

For production environment I'd recommend making a new resource group for this. If you're going with AzureAD joined, there are some settings we need to apply to all host VMs a bit later one which are easier if we can just apply them at the resource group level and let inheritance take place.

Generally I set Host pool type to Pooled - this will allow multiple users to log on to each host, vs dedicating a host to a user.

There are two load balancing algorithms to choose from:

• Breadth-first: Distributes new connections across all hosts in the pool
• Depth-first: Distributes new connections by filling each host to its maximum count before starting on the next host
  

Finally max session limit - if you are using depth-first load balancing, or plan to use auto-scaling, you'll need to put a number in here which denotes the maximum concurrent sessions you want on each host.

Moving on to the next page, Virtual Machines. Here we will configure the resource group, VM name prefix, location and availability options for our VMs. Select the image you want from the gallery [you can upload a custom image and select that here, but I will cover that in a future post], along with the VM size you wish to use, and the number of VMs.

When considering the size of the VM you want to use - I tend to go for multiple smaller VMs over one or two huge VMs as it makes it easier to take a host VM down for maintenance without vastly reducing the availability. Another factor to consider with sizing is what kind of load you are expecting, and how much you want to watch the budget. With multiple, smaller VMs you can shut down most of your host pool overnight to save costs, and boot them back up when the workload is predicted to be higher. With the 'Start on connect' feature you can even turn ALL the host pool off, and it will boot up a VM automatically when a user tries to connect.

Scrolling down, fill out the network details and domain join type. If you are joining an AD domain you'll need the UPN and password for an account which can create computer objects in the domain. If you're joining Azure AD, you can also enroll the VMs with Intune if you like.

Finally, set the VM local administrator account credentials, and complete the setup process.

Once it's spent a while deploying the host pool servers, you should then be able to click on the host pool and see an overview screen like below.

Login to Windows virtual machine in Azure using Azure Active Directory authentication

Organizations can now improve the security of Windows virtual machines [VMs] in Azure by integrating with Azure Active Directory [AD] authentication. You can now use Azure AD as a core authentication platform to RDP into a Windows Server 2019 Datacenter edition and later or Windows 10 1809 and later. Additionally, you will be able to centrally control and enforce Azure RBAC and Conditional Access policies that allow or deny access to the VMs. This article shows you how to create and configure a Windows VM and login with Azure AD based authentication.

There are many security benefits of using Azure AD based authentication to login to Windows VMs in Azure, including:

• Use your corporate AD credentials to login to Windows VMs in Azure.
• Reduce your reliance on local administrator accounts, you do not need to worry about credential loss/theft, users configuring weak credentials etc.
• Password complexity and password lifetime policies configured for your Azure AD directory help secure Windows VMs as well.
• With Azure role-based access control [Azure RBAC], specify who can login to a VM as a regular user or with administrator privileges. When users join or leave your team, you can update the Azure RBAC policy for the VM to grant access as appropriate. When employees leave your organization and their user account is disabled or removed from Azure AD, they no longer have access to your resources.
• With Conditional Access, configure policies to require multi-factor authentication and other signals such as low user and sign in risk before you can RDP to Windows VMs.
• Use Azure deploy and audit policies to require Azure AD login for Windows VMs and to flag use of no approved local account on the VMs.
• Login to Windows VMs with Azure Active Directory also works for customers that use Federation Services.
• Automate and scale Azure AD join with MDM auto enrollment with Intune of Azure Windows VMs that are part for your VDI deployments. Auto MDM enrollment requires Azure AD P1 license. Windows Server 2019 VMs do not support MDM enrollment.

[!NOTE] Once you enable this capability, your Windows VMs in Azure will be Azure AD joined. You cannot join it to other domain like on-premises AD or Azure AD DS. If you need to do so, you will need to disconnect the VM from your Azure AD tenant by uninstalling the extension.

Assumptions

The following represent the assumptions when considering to deploy Azure Virtual Desktop.

• The agency already has a suitable Azure deployment or is planning an Azure deployment within the Australian Azure regions, with appropriate controls implemented up to Protected.
• Licensing is available for Windows 10 Enterprise multi-session, Windows 10 Enterprise and FSLogix.
  • Microsoft 365 E3, E5
  • Windows E3, E5
• Adequate storage is provisioned for the expected number of users. Recommendation of a minimum of 30GB per-user for the Windows profile hosted with the FSLogix solution.
• The agency has read the client devices blueprint and ensures the ACSC Windows 10 hardening guidelines are being adhered to in relation to the AVD Windows 10 session hosts.

Prerequisites

The following represent the prerequisites before deploying Azure Virtual Desktop.

• Optional but recommended for this pattern - Infrastructure with a configured Azure AD tenant and an Active Directory Domain Services [AD DS] that can sync with Azure AD. AVD previously required session host virtual machines to be domain-joined to an AD DS domain to manage the machines computer object and provide policy and authentication. Depending on the Active Directory architecture chosen – hybrid or cloud native, AVD can be configured to domain-join an existing on-premises AD DS domain [over VPN or ExpressRoute], or a cloud-only Azure AD Domain Services [PaaS] hosted in Azure.

Cloud native:

• Azure AD Connect synced to a cloud-only AD DS IaaS [Infrastructure as a Service] within the Azure deployment, or
• Azure AD DS PaaS configured within the Azure deployment [automatically synchronised to Azure AD], or
• Agencies can choose to opt out of a AD DS infrastructure and use native Azure AD join with Intune management, but there are caveats that need to be assessed [see Active Directory below].

Hybrid:

• Azure AD Connect connected to AD DS [on-premises or hosted in Azure]
• An Azure subscription that contains a virtual network that can connect to the AD DS domain.

Platform components

Active Directory

Microsoft Windows Server Active Directory Domain Services [AD DS] and Azure Active Directory [AAD] maintain records of information required to identify services, users and other resources on the network. A domain is a security boundary that exists within AD, and all user accounts are based on domain membership.

Previously, AVD required session host virtual machines [the virtual desktops] to be domain-joined to an AD DS domain to manage the machines computer object and provide policy and authentication. AVD session hosts can now be joined to Azure Active Directory natively [without AD DS hybrid join] and can be managed by Intune, this includes delivery of security policy. Note that with this option, Intune policy support is limited to policies targeted to the O/S scope and not the user scope with multi-session AVD session hosts, and only local profiles are available. Due to current limitations, the pattern currently recommends deploying AVD with Active Directory Domain services to ensure there is full security policy scope for users and the operating system itself, and the user experience is not impacted. See Using Azure Virtual Desktop multi-session with Microsoft Endpoint Manager.

Depending on the Active Directory architecture chosen – hybrid or cloud native, AVD can be configured to domain-join an existing on-premises AD DS domain [over VPN or ExpressRoute], or a cloud-only Azure AD Domain Services [PaaS] that is hosted in Azure.

The following table outlines the environment specific infrastructure configurations and considerations for Active Directory services for the solution.

Active Directory Design Decisions for the solution

The following figure outlines a suggested AD DS OU Structure with proposed OUs to accommodate the Virtual Desktop and hybrid joined devices.

Group policies

Group policies provide a user experience tailored to the needs and security requirements of an organisation. Policies are created and managed using the Group Policy Management Console [GPMC]. Group policy is still required for session hosts when using pooled-random multi-session hosts, which is currently not supported with Intune.

The following tables describe the Group Policy design decisions for the solution.

Personalisation and profile management

User profiles and personalisation enable users to configure an application or desktop setting and have that setting retained the next time they login or roam to another computer. This is extremely important when using a virtual desktop, as the local Windows profile is generally always not present for each new virtual desktop login, this can impede the user performance as it can increase user login times and cause issues with applications missing configuration on virtual desktop sessions.

Each user group, regardless of the required level of personalisation, should have a profile that determines how the user’s settings will or will not persist across sessions. Part of the profile configuration includes folder redirection to better optimise the profile.

Microsoft includes several standard options for user profiles, or personalisation. Alternatively, technologies such as Microsoft UE-V and FSLogix, can be used to address user profile and personalisation requirements. If no user profile is configured, a desktop local profile is used, which is seldom optimal.

Microsoft provide the following profile management solutions:

• Local Profiles – Are created and stored on each workstation the user logs on to.
• Mandatory Profiles – A profile that does not save profile changes.
• Roaming Profiles – A network-based profile that allows user settings to be saved.
• Microsoft UE-V – Provides personalisation that operates at the application layer delivering a user’s personal Windows experience across many devices, regardless of Windows or the applications are deployed physically or virtually. UE-V templates are created to specify which application settings and files are captured and roamed between sessions.
• FSLogix – Provides a full profile solution in addition to addressing issues when deploying Office 365 in a non-persistent VDI/RDS environment. Using the Profile Container and/or Office 365 Container data is cached locally helping avoid disruptions or application instability during brief storage interruptions like network switch resets or storage controller failovers. This cache sits between the user’s desktop and the remote container storage [SMB file share or cloud cache functionality] and is configured either to persist between logons or start fresh each time the user logs in.
• Folder Redirection – Enables certain folders, such as Documents and AppData, to be redirected. This enables user data such as documents and email configuration, to not be loaded at login, which can improve performance when loading profiles. However, some applications communicate with the AppData frequently, making the application appear slow when this folder is redirected.

FSLogix considerations

FSLogix provides various functionality and advanced profile configurations that can further optimise the virtual desktop experience:

• Simplification of gold image versioning via the use of application masking. This feature allows the base image to include most optional applications to be installed inside the gold image, while only presenting these applications to authorised users. This simplifies gold image management and application delivery and is relatively simple to setup. For further guidance on this this configuration see Implement Application Masking Tutorial.
• Management of Java versioning used for various URLs and applications, for those agencies running multiple java runtimes within the desktop.
• Use of redirections.xml with profile management provides the ability to control which portions of the profile [in the C: drive] are redirected out to the remote profile and kept in sync. Exclusions can optimise the desktop environment and are sometimes used to make an application work within a virtual environment. Microsoft recommend using this feature with caution and to only include exclusions where they are fully understood.
• Cloud Cache is a configuration option that provides greater resilience for the user profile outside of the standard VHDLocations configuration which only provides a mounted remote location for the users profile, this can be subject to availability constraints. The use of Cloud Cache in previous versions of FSLogix introduced a ‘logon tax’ meaning logon times were slower than using VHDLocations, at the expense of resilience and availability. Cloud Cache performance has not yet been validated within this pattern. Agencies are encouraged to assess this feature - which can greatly improve resilience if resilience and availability is a concern. For more information on this architecture, see Cloud Cache for resiliency and availability.

The following table describes the Profile Management design decisions for the solution.

The following table describes Personalisation and Profile Management design decisions for the solution. These settings will be configured via ADMX Group Policy.

Note, settings not specifically called out assume the default configuration.

The following table includes FSLogix Office 365 Container Configuration.

Resource Tags can be applied to objects within Azure to organise them into categories. Using Tags, resources can be retrieved from multiple Resource Groups. Tags enable simplified management and Azure billing capability.

A Resource Tag is comprised of a Key and a Value. Both are defined by an administrator.

The following tables describe the Azure Resource Tags design decisions for the solution.

1. Managing identity and devices

Users always sign into their AVD sessions using their Azure AD credentials, so it’s vital that you protect this identity. You’ll also need to consider which devices they’ll be using to connect to their sessions.

You can protect your users’ ID and control the devices they can use to access the virtual desktops in two ways – by enabling multi-factor authentication [MFA] for users in Azure AD, then by using Conditional Access to apply MFA for the Azure WVD client itself. This mitigates risk and significantly improves overall AVD security.

• MFA: enabling MFA for all users and admins in AVD improves the overall security of your AVD deployment.
• Conditional Access: along with MFA, Conditional Access enables your admin to select which specific users should be granted access based on which devices they are using, their location and how they sign in etc.

For further guidance, these Microsoft tutorials explain how to setup MFA and Conditional Access when using Azure Virtual Desktop. This video from The Azure Academy also provides useful guidance about setting up MFA and conditional access.

2. Protecting session host virtual machines from external threats

Having protected the identity of the users accessing the AVD service, it is important to protect the session hosts themselves including your operating system, applications and network.

Use Network Security Groups and firewalls

The virtual machines and virtual network deployed as part of your AVD deployment are key endpoints and securing these determines the overall effectiveness of your security. The inbound and outbound networking rules and regulation of your overall network traffic to the virtual machines affects their exposure to external threats and hackers.

You should at least configure a Network Security Group [NSG] and attach it to the subnets that your Azure Virtual Desktop session hosts are deployed in to protect them.

NSGs can contain multiple inbound and outbound security rules. As described in Microsoft’s article, Network Security Groups, these enable you to filter traffic by source and destination IP address, port, and protocol. Therefore, your NSG should contain the outbound rules required for Azure WVD and detailed in this Required URL list.

An NSG is free and is simply an access control list [ACL], it is not intelligent like a Firewall. However, if you need application rules and web filtering, you can configure all the AVD traffic to go through a firewall using a route table.

This could be your own, on-premise firewall if you’re connecting to your Azure environment across a site-to-site VPN or a network virtual appliance [NVA] in Azure. There are a range of third-party solutions in Azure Marketplace or Azure Firewall, which provides managed, cloud-based network security and is a fully stateful firewall service.

See the following video from The Azure Academy on AVD network security using VNet, NSGs and Azure Firewall as well as this Microsoft article for more information on using Azure Firewall to protect AVD deployments.

Protect against operating system, application and software vulnerabilities

Identifying malicious software and software vulnerabilities within your operating system [OS] and applications is the key to proactive, preventive security measures to keep your Azure Virtual Desktop environment safe.

Enabling end point security for your session host virtual machines [VMs] protects your overall AVD deployment from malicious software. Tools like Windows Defender and ATP [Advanced Threat Protection] proactively address OS and application-level vulnerabilities, identifying problem spots through vulnerability assessments for server operating systems. Read the deployment guide for Microsoft Defender Antivirus in a virtual desktop infrastructure [VDI] environment to configure your VMs for optimal protection and performance.

Apply patches and security updates

Regular patches and security updates to your OS and applications ensure that your Azure WVD environment is well protected.

You can regularly replace the session hosts using a new patched image as we describe in our blog post, Eight tips on how to manage Azure Virtual Desktop [WVD] . This also lets you update or add any new applications. Alternatively, as the following Microsoft article explains you can use Microsoft Endpoint Configuration Manager to configure automatic updates for Windows 10 on your AVD session hosts.

Contact us for a free discussion with our certified Azure Virtual Desktop consultants for further guidance on all the security features that come with AVD.

AVD - Book your free consultation